RapLeaf Is Back and Bad As Ever

itwbennett writes "Privacy blogger Dan Tynan opted out of data aggregator RapLeaf back in 2010 — and wrote about it. At the time, opting out seemed to work well enough. But fast forward a couple of years and ... they're baaaack. While testing a privacy service called Safe Shepherd, Tynan discovered that 'not only [is he] not opted out of RapLeaf's database, they've also gathered far more information about [him] than they had before.' And it's a pretty good bet some of the data came from Facebook apps, which is a practice that the company was slapped for in 2010 and claimed to no longer do."

Cookie based opt-out

[Anonymous Coward]

Opt-out policy

This company provides a cookie based opt-out. An "opt-out cookie" is set by the browser. This provides a request that ads should not be customized through your web browsing activities and preferences. You will continue to receive ads but this company will not use this information to select behavioral ads you see online. You must opt-out again if cookies are deleted and required for each browser type and new computer. Third party cookies must be accepted for opt-out to work.

So, if you wipe your cookies, you "opt back in".

Re:Cookie based opt-out

[Anonymous Coward]

There are Firefox add-ons (and probably Chromium equivalents) that automatically give you opt-out cookies, and make sure they won't be deleted. Beef Taco comes to mind.

Re:Cookie based opt-out

[ben_shepherd]

There are two types of ways to opt out of Rapleaf that should be distinguished here. The more robust way (assuming they respect it) is to go through their "permanent opt-out" form (http://www.rapleaf.com/opt-out/), which removes you from their database. What the cookie opt-out does is disable their third party tracking of you as you browse the web. If you're interested in removing yourself from all of the major data broker and people search sites check out our manual opt out guides: http://blog.safeshepherd.com/how-to-block/ [safeshepherd.com] . Or better yet, give our service a try.. guarantee you it will save you a lot of time and worry if you care about these sites selling your personal information.

Re:

[Optimal Cynic]

I'd love to, but what kind of safeguards do you have? You ask for a lot of personal information, seems like creating a single point of potential failure to me. I think what you're doing is great, I'm just a bit paranoid about this.

Re:

[gandhi_2]

just a bit paranoid

Is that a twitter bird next you your id?

Re:

[Optimal Cynic]

Yeah, it's how I log in to Slashdot.

Re:

[ben_shepherd]

Hey there, we take privacy very seriously-- that's why we started Safe Shepherd. We go out of our way to encrypt as much info as possible through row-level encryption. Also we delete every single database row related to your account when you opt to cancel your service with us. Here's our privacy policy: https://www.safeshepherd.com/privacy [safeshepherd.com] . Feel free to hit us up with any questions, we're a 7 person organization and can respond to people individually.

Re:

[Optimal Cynic]

Thanks, that's pretty much the answer I was hoping for.

Re:

[HiThere]

That "assuming you trust them" is my real sticking point. I'd rather not give them any information (or any correct information) to start with.

What we need is a character generation application, sort of like you get on angband, but customized to provide random user information for web sites. And a small database that tracks which web site you give which character information to. The only hard part would be the browser interface, so that the browser would automatically give the right website the right char

Re:

[fast turtle]

and this is just one more reason I use noscript and a dedicated host file since the dial-up days (I've been on broadband for a decade) to block ads and such crap. I used to use Ghostery but after I realized they were collecting and selling the same information that Google and other advertisers were, I quit using them. Noscript works quite well in providing me the full path name of the annoyance so I can add it if needed to my host file. Another option I take full advantage of is the many free hosts files on

Re:

[Optimal Cynic]

Or you could use privoxy, which has URL matching, not just host blocking.

Re:

[sorak]

Is this company run by the kid who would steal anything that wasn't nailed down and then say "you didn't say I COULDN'T have it"?

Follow the money

[Jawnn]

This behavior not going away until it becomes to expensive, in terms of bad PR as well as fines, for dishonest practices. You either honor your customers' request/expectation of privacy or you don't. If you don't it should cost you. Currently it simply doesn't, so the so-called free market being what it is, we see rampant abuse like this. Mind you, the clueless legions who so blithely bend over to have their privacy raped by Facebook et al deserve a fair share of the blame here, but it is not realistic to expect most of them to fully understand just how bad an idea it is to let some of these go on. For that reason, regulation is in order, and I mean real regulation, with teeth and a budget to enforce it. I will not hold my breath.

Re:

[Joce640k]

Yep.

Earnings - fines = profit.

If earnings are bigger than fines then profit is a positive number. The fines are just operational overheads.

Re:

[HiThere]

If there were (real teeth in HIPAA privacy violations), medical agencies couldn't use web connected MSWindows machines.

So, yes, your point stands.

Re:

[Anonymous Coward]

This behavior not going away until it becomes to expensive, in terms of bad PR as well as fines, for dishonest practices. You either honor your customers' request/expectation of privacy or you don't. If you don't it should cost you. Currently it simply doesn't, so the so-called free market being what it is, we see rampant abuse like this. Mind you, the clueless legions who so blithely bend over to have their privacy raped by Facebook et al deserve a fair share of the blame here, but it is not realistic to expect most of them to fully understand just how bad an idea it is to let some of these go on. For that reason, regulation is in order, and I mean real regulation, with teeth and a budget to enforce it. I will not hold my breath.

This behavior will not go away until an individual is affected by it, in a very personal way (didn't get a job, lost a job, affected marriage, etc.). Then and only then will people wake up to the problems they are creating for themselves with an IDGAF attitude about privacy.

Until then, it will always be treated in the same way as unsafe sex. Bad shit will never happen to me, it's always "someone else".

Ignorance rules the planet right now.

Re:

[HiThere]

The behavior will continue until the individuals effected in the manner you specify are the people making the decisions about what business plans to pursue. And even then I expect that there would need to be about a decade of continual prosecutions and punishments to overcome the last several decades of improper conditioning.

Re:

[tlhIngan]

This behavior not going away until it becomes to expensive, in terms of bad PR as well as fines, for dishonest practices. You either honor your customers' request/expectation of privacy or you don't. If you don't it should cost you. Currently it simply doesn't, so the so-called free market being what it is, we see rampant abuse like this. Mind you, the clueless legions who so blithely bend over to have their privacy raped by Facebook et al deserve a fair share of the blame here, but it is not realistic to e

Re:

[Minupla]

Contrast this with say, buying an iPhone, in which case you're Apple's customer

Not quite true - otherwise Apple would not be in the advertising business (http://en.wikipedia.org/wiki/IAd)

In general, you can assume that any large company is treating you as the product. The only question is to what degree and if you're also a customer.

And if you bought a google nexus phone/tablet, you're also Google's customer as well as product.

Min

Re:

[VortexCortex]

Hint: You're not their customer. You're their product.

Hint: You're not my friend or follower, you're my target demographic.

Seriously, although I hate them and would rather folks join our forums or IRC, I must use social networks to connect with the community at large. I even bounce ideas off of them while letting interested folks know about what's up with the stuff (games) I'm working on. Also we get to share some other unrelated interests while we're at it.

As a "product" on the social networking sites I use them to subscribe to things I want to know about

Re:

[VortexCortex]

Seriously, although I hate them and would rather folks join our forums or IRC, I must use social networks to connect with the community at large.

Hmm... this could be taken to mean I hate the social networks, OR the community at large. Given the vast quantity of annoying idiots far outnumbering rational likeable folks, yeah, I'd say I hate most of "the community" for large values of "community". I hate social networks more that the worst of trolls though, but they're sadly a necessity. It's where people are.

Re:

[X0563511]

You do realize that the "clueless legions" you speak of have every right to place different values/definitions on their privacy, right? They do not have to care about it.

They should, but they don't have to. That's the wonderful thing about this world - we don't all think the same way.

Re:

[MagusSlurpy]

The older I get, the less I'm sure that I agree with your "Thy should care about privacy" statement. As long as these companies aren't calling me or spamming me, I don't really care. If they want to track my browsing habits, whatever. If they are really that interested in seeing that a guy who browses Slashdot also regularly visits HardOCP, RPS, Penny Arcade, Netflix, Facebook, and a few gaming community forums so they can sell that information to WalMart and Amazon, whatever.

Personally, I think the whol

Data harvesting: illegal, low-cost, high profits.

[h00manist]

Wikileaks showed us the way. The only thing left to talk about is public access to data, especially data on people in privileged positions.

Nothing can really be done to control black and gray market data. And, little or no actual control can be exerted on the "legal" companies and practices as well. Even if you manage to hide your own data through various means, it complicates and restricts life, and does nothing about the data of the rest of the population, which affects and includes your data.

The only

Opt Out?

[frootcakeuk]

I find it ironic yet unsurprising that the 'opt out' link doesn't work. https://www.rapleaf.com/opt_out [rapleaf.com]

Re:

[frootcakeuk]

Sorry, typo in the OP's provided link. It does work.

Re:

[preaction]

The opt-out link I found was https://www.rapleaf.com/opt-out [rapleaf.com] and it seems to work fine. Disclaimer: I hold no opinion on this site and what it does, I am interested only in well-reasoned arguments based on facts.

Re:

[macraig]

What makes you so bloody certain that it "works"? That the form and captcha simply appear at face value to be responsive? I actually entered an e-mail address which, if the process is actually "working" as expected, should have generated an e-mail challenge to verify that I owned said account and wasn't pranking an account I don't own. I've received no such challenge yet.

For all I know that form is simply a means to collect the e-mail addresses of people who they intend to data-mine even more intensely,

Re:

[X0563511]

The difference is that you have explicitly told them not to track you. If they continue to do so, things are a little bit differently, legally.

Re:

[preaction]

I don't know that it actually functions, like you I am not going to give them a real e-mail address just to test it. The link goes to a web page though, where as the person I was replying to had a bad URL. As mentioned, I'd rather light my torch and raise my pitchfork for a reasoned argument, and not a knee-jerk reaction based on a misspelling from - to _.

Re:Opt Out?

[macraig]

And BTW, that page relies on no less than 10 external "trackers", according to Ghostery:

AppNexus
DoubleClick
Google +1
Google AdWords Conversion
Google Analytics
HubSpot
MixPanel
Outbrain
ScoreCard Research Beacon
SnapEngage

People are quite likely collecting data on your choice to opt out....

Re:

[Sporkinum]

Isn't ghostery owned by Evidon, who also owns Rapleaf? I wouldn't trust either of them.
However, I wouldn't trust Safe Shepherd either as they are aggregating info as well.

Seem like best bet for yourself is to stop scripts from running and cookies from storing.
Also, most of that technology is rendered useless if you are blocking ads because you never see what their magic mojo is throwing at you.

Re:...Evidon, who also owns Rapleaf?

[TaoPhoenix]

"Isn't ghostery owned by Evidon, who also owns Rapleaf? I wouldn't trust either of them.
However, I wouldn't trust Safe Shepherd either as they are aggregating info as well."

Nice bit of homework there. Is there a more free/open plugin that does the same kind of thing that Ghostery does by providing lists of blocked trackers? I'd be happy to use that instead.

Re:

[magic maverick]

RequestPolicy will block all third party requests by default, which will block the cookies that come with it. (They do allow, by default, links between a site and it's CDN domain though.)

Re:

[X0563511]

AdblockPlus + easylist + easyprivacy + noscript (for the extra careful). Kind of hard for doubleclick to track me if I don't load resource from them and don't run their scripts!

I'm sure there are some items that slip through, but implementing them requires more significantly more coordination between the trackers and the site itself. I'd wager this gets rid of nearly all of it.

(and advertisements in general, which I -do-not-want- anyway. I know that's how sites get paid, frankly I don't care. Friendly fire.

Re:

[TaoPhoenix]

I got half way there - I have been using adblock for years. However, however flawed it might be, Ghostery at least pointed out those lists of cookie-whatever tracker companies that aren't actually serving ads.

I haven't heard about easyprivacy before, so I might look into that. I think I tried and abandoned noscript a few times because it's a bit too fierce and it became a lot of work to add-in the sites I wanted to run stuff (yahoo mail, monster jobs site, but a surprising number of others now escaping me.)

Re:

[X0563511]

Just a note: I'm sure some of those trackers are actually from the advertisements, which are loaded from third-party systems that the site does not have immediate control over.

Did/does the site have any kind of advertisements on it that you noticed?

Re: trackers are actually from the advertisements

[TaoPhoenix]

Hi there.

I didn't do any extensive analysis, which in some ways is my point - the data to do the analysis with on these kinds of questions eventually buries into "company proprietary info". To clarify, the other half of my point is that I am used to and sorta don't care that the top "newsrags" have a huge collection of stuff going on. Let's say that Ghostery works, and blocks them, and then Evidon does whatever they want later. In the modern age, I expect many sites to deploy stuff.

But I hold "privacy compa

Re:

[cheros]

Sadly, what you have done is not enough.

You missed Google fonts. Practically EVERY Wordpress template contains them as it's one of the few resources available to create a better design without having to license fonts for download. Google doesn't do that out of the gentleness of their non-existing hearts: every time you load a Wordpress page which uses Google fonts you create a hit on their fonts API.

Granted, if you nuke cookies they will not have a fully accurate lock on you as a person, but that's where

Re:

[macraig]

I dunno about that, but I can tell you that Ghostery blocks "Rapleaf" by default. If there was really something sinister there, I'd expect to see it quietly whitelisted.

Re:

[X0563511]

Does it actually block it, or does it only say that it does?

Re:

[Secret Agent Man]

Some cursory googling did not reveal any link between Evidon and Rapleaf. Got some sources to share?

Hmmm ...

[gstoddart]

So, you don't trust the company (which is a given), but somehow we're supposed to trust that opting-out actually does anything or causes them to delete anything?

If anything, it sounds like the fact that you opted out gave them more information about you and more reason to find more.

Opting out of this kind of shit is like "click here to unsubscribe" which comes with spam to make it look compliant -- they're not going to do it.

I mean, he's talking about logging into his account on their server to see what information they have about him -- I sure wouldn't sign up for this in the first place.

Laws need to change so the default position isn't "company can do whatever it wants without telling you". Of course, they'd scream and howl that it was cutting into their "freedom of speech" or corporate profits, but I don't see why it should be something which they decide how it gets used.

Triple take on the name

[Anonymous Coward]

Please tell me I'm not the only one who had to read the title three times to realize it's not called "RapeLeaf."

Re:

[Nemesisghost]

Nope, you are not the only one.

Re:

[MagusSlurpy]

If it makes you feel any better, I had to read it three times to realize that it had nothing to do with mad urban beetz.

How we verify opt-outs at Safe Shepherd

[ben_shepherd]

Hey guys, I'm Ben, a developer at Safe Shepherd. Data brokers and people search sites like Rapleaf have a bad habit of blocking or flat out ignoring opt out requests. Recently we implement a system of verified removals whereby we check whether the opted out record actually still appears on the data broker's website. This allows us to identify whether they're being generally honest and whether another opt-out needs to be sent on a case-by-case basis. I set up the verified removals to run as a daily cron task, so we can identify whether records re-appear even after they've been removed (yes, data brokers do this). Also fwiw we've written up some manual opt-out guides for all the major data brokers and people search sites in case you want to do the removals yourself rather than through our service: http://blog.safeshepherd.com/how-to-block/ [safeshepherd.com]

Re:

[ewhac]

It seems like, in order to get these nosy little snoops to stop snooping on you, you have to explicitly visit their site, provide them with even more info, and hope they keep their word that they won't compile data on you.

For those who are, shall we say, less sanguine about these companies being true to their word, can you suggest client-side methods users might try that either block the trackers' ability to collect data in the first place, or would give the trackers useless or conflicting data?

Re:

[ben_shepherd]

methods users might try that either block the trackers' ability to collect data in the first place

1. 1. Avoid publicly accessible pages on social sites like LinkedIn, OkCupid, Facebook. People search sites crawl these to build up their data sets. We recently added a social monitoring feature which will show you a snapshot of your social profiles from a non-logged in user perspective which can help with that.
2. 2. Practice safer browsing habits. Lots of plugins like Ghostery that can help with this.
3. 3. You're n

Re:

[BitZtream]

So if you can't view the photo IDs ... that means you can't use them for sending to anyone else to opt me out ... so why are you even storing them or asking for them? Do you fax out encrypted images for your users or something and expect some sort of fax-decrypter on the other end? Or is this some new quantum computing attribute where magically only the intended person can see it, because it exists in both an encrypted and decrypted superposition state?

Re:

[ben_shepherd]

Hey, sorry if that wasn't clear. Our app servers lack the SSH keys required to view the IDs under any circumstance, but our fax servers are capable of sending them as unencrypted images. This is setup so that a Rails glitch or console error can't result in the viewing of IDs.

Re:

[DMUTPeregrine]

RequestPolicy and NoScript for Firefox are quite handy for blocking trackers abilities to collect data. Also disallowing 3rd party cookies.

Re:

[yahwotqa]

Message received and decoded. Operation Pastry Badger is go.

Disclose Your IPs

[VortexCortex]

I think all companies should be required to disclose all their public facing IP addresses, and business parters that they share data with. This way we can create a web spider that can completely block all of one's traffic between yourself and the company. Think about it. The problem is that we don't know where our browsers are connecting to -- The browser does, but users typically don't know except for the address bar (which is only a small percentage of the connections made on a typical page). Seriously, if your browser popped up "Would you like me to send a request to 'DoubleClick.Net'? [y/N] [x] remember this choice" Would ANYONE actually say yes?

Re:

[genkernel]

Enter RequestPolicy [requestpolicy.com], an add-on for firefox that does essentially this.